Unlimited Password History

In Password Manager, password history is "infinite" by default. Unless
specifically allowed, users are prevented from reusing passwords at all.
Where password reuse is allowed, it is based on a time interval,
rather than the number of intervening password changes.
Password history is stored as one-way, non-reversible hashes (SHA-512 with a
512-bit salt), so old passwords cannot be recovered from the history store.
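The following is an added illustration of the history mechanism just described, not code from Password Manager itself. It keeps a per-entry 512-bit random salt with each SHA-512 digest, never stores a reversible form of the password, and decides reuse either by the default "never" rule or by a time window measured from when the password was last set, rather than by counting intervening changes. The class and function names, the sample password and the dates are constructed for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SALT_BYTES = 64  # 512-bit salt per history entry, as the text describes


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way SHA-512 digest over salt || password; nothing reversible is kept."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


class PasswordHistory:
    """Unbounded password history for one user (hypothetical class, not the product's).

    reuse_after=None  -> reuse is never allowed (the default described above)
    reuse_after=delta -> an old password may be reused once it is at least
                         `delta` old, however many changes happened in between
    """

    def __init__(self, reuse_after: Optional[timedelta] = None) -> None:
        self.reuse_after = reuse_after
        # Each entry keeps its own salt, its digest and the time the password was set.
        self._entries: List[Tuple[bytes, bytes, datetime]] = []

    def record(self, password: str, set_at: datetime) -> None:
        salt = os.urandom(SALT_BYTES)
        self._entries.append((salt, hash_password(password, salt), set_at))

    def reuse_allowed(self, candidate: str, now: datetime) -> bool:
        """True if `candidate` may be set at time `now` under the reuse policy."""
        # Newest first: if the password was set more than once, the most recent
        # occurrence is the one the time window must be measured from.
        for salt, digest, set_at in reversed(self._entries):
            # Salts differ per entry, so the candidate is re-hashed for each one.
            if hmac.compare_digest(hash_password(candidate, salt), digest):
                if self.reuse_after is None:
                    return False  # infinite history: never reuse
                return now - set_at >= self.reuse_after
        return True  # never seen before


def demo() -> dict:
    """Constructed scenario: 'Winter2023!' was set on 1 Jan 2023."""
    t0 = datetime(2023, 1, 1)
    strict = PasswordHistory()  # default: no reuse, ever
    strict.record("Winter2023!", t0)
    yearly = PasswordHistory(reuse_after=timedelta(days=365))  # time-based reuse
    yearly.record("Winter2023!", t0)
    return {
        "strict_same_pw": strict.reuse_allowed("Winter2023!", t0 + timedelta(days=400)),
        "strict_new_pw": strict.reuse_allowed("Spring2024!", t0 + timedelta(days=1)),
        "yearly_too_soon": yearly.reuse_allowed("Winter2023!", t0 + timedelta(days=30)),
        "yearly_after_window": yearly.reuse_allowed("Winter2023!", t0 + timedelta(days=400)),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'refused'}")
```

Because every entry has its own salt, checking a candidate costs one hash per history entry, which is the price of not being able to match entries against each other. The text specifies plain salted SHA-512; where the history store could be copied by an attacker, a deliberately slow hash such as PBKDF2 or Argon2 in place of `hash_password` would make offline guessing of old passwords (which often resemble current ones) considerably more expensive.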

Password Aging / Expiration

To enforce password expiration and to get users to trigger web-based
password synchronization, Password Manager is configured to detect upcoming
password expiration, either on individual systems (e.g., Windows, AD, LDAP)
or based on the last time a user changed his passwords using
Password Manager, and to remind users to change their passwords using the
Password Manager web UI.

Password expiration is normally configured so that users change their
passwords with the Password Manager web portal on a shorter expiry interval
than the native password expiry on any system. This way, Password Manager
prompts users to change passwords before any other system does, and
users are never prompted to change expired passwords by other systems
or applications.
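As an added example (not code from Password Manager), the following computes the portal expiry interval and the "soon to expire" list from the two signals the text names: the last password change made through the portal and the native expiry on each individual system. The native intervals, user names, timestamps and the seven-day margin are constructed assumptions; the point it shows is that once the portal interval is shorter than every native interval, the portal is always the first place a user is prompted.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

PORTAL = "Password Manager"  # key for changes made through the web portal

# Constructed native expiry intervals per target system (assumption, not from the text).
NATIVE_EXPIRY: Dict[str, timedelta] = {
    "Windows": timedelta(days=90),
    "AD": timedelta(days=90),
    "LDAP": timedelta(days=60),
}


def portal_expiry_interval(native: Dict[str, timedelta],
                           margin: timedelta = timedelta(days=7)) -> timedelta:
    """Portal interval shorter than the shortest native interval by `margin`,
    so the portal prompts before any target system does."""
    return min(native.values()) - margin


def next_expiry(last_changes: Dict[str, datetime],
                native: Dict[str, timedelta],
                portal_interval: timedelta) -> Optional[Tuple[datetime, str]]:
    """Earliest expiry across the portal and each native system the user has.

    last_changes maps a system name (or PORTAL) to the last change time on it.
    Returns None if nothing is known about the user."""
    candidates: List[Tuple[datetime, str]] = []
    for system, changed in last_changes.items():
        if system == PORTAL:
            candidates.append((changed + portal_interval, system))
        elif system in native:
            candidates.append((changed + native[system], system))
    return min(candidates) if candidates else None


def expiring_soon(users: Dict[str, Dict[str, datetime]],
                  native: Dict[str, timedelta],
                  portal_interval: timedelta,
                  now: datetime,
                  warn_before: timedelta) -> List[Tuple[str, datetime, str]]:
    """The 'soon to expire' list: (user, expires_at, system) sorted by expiry.
    A user already past expiry is included too, since they still need prompting."""
    hits = []
    for name, changes in users.items():
        soonest = next_expiry(changes, native, portal_interval)
        if soonest is None:
            continue
        expires_at, system = soonest
        if expires_at - warn_before <= now:
            hits.append((name, expires_at, system))
    return sorted(hits, key=lambda h: h[1])


# Constructed sample data: "now" and the last change time per user and system.
NOW = datetime(2024, 3, 1, 9, 0)
USERS: Dict[str, Dict[str, datetime]] = {
    # alice synchronized everything through the portal 50 days ago
    "alice": {PORTAL: NOW - timedelta(days=50),
              "Windows": NOW - timedelta(days=50),
              "LDAP": NOW - timedelta(days=50)},
    # bob changed 10 days ago; nothing is due yet
    "bob": {PORTAL: NOW - timedelta(days=10), "AD": NOW - timedelta(days=10)},
    # carol has never used the portal, so only her native Windows expiry is known
    "carol": {"Windows": NOW - timedelta(days=85)},
}


if __name__ == "__main__":
    interval = portal_expiry_interval(NATIVE_EXPIRY)
    for user, when, system in expiring_soon(USERS, NATIVE_EXPIRY, interval, NOW, timedelta(days=14)):
        print(f"{user}: expires {when:%Y-%m-%d} on {system}")
```

With a shortest native interval of 60 days and a 7-day margin the portal interval is 53 days, so alice is reported against the portal (due in 3 days) even though her LDAP password would not expire for another 10 days, while carol, who never used the portal, is caught only because her native Windows expiry is tracked as well.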

Early notification of upcoming password expiration is a viable
alternative to transparent password synchronization, especially in
cases where it is impossible to trigger synchronization from the
primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail.
Alternatively, a small client program can be triggered at user login time,
which checks whether the user currently logging in is on the
list of "soon to expire" users and, if so, opens the user's default
web browser to a URL that asks the user to change his passwords.

The same small program can be used to make the password change mandatory,
by opening a kiosk-mode web browser to the password change
web portal and requiring the user to change passwords before they can
close this browser and access their desktop.